ABSTRACT:

Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) that can be triggered through the receipt of specific TCP segments during the TCP connection termination phase. Appliances that are running versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they are configured for any of the following features:

IMPACT ASSESSMENT:

High

Discussion:

TCP Connection Exhaustion Denial of Service Vulnerability:

Successful exploitation of this vulnerability may lead to an exhaustion condition where the affected appliance cannot accept new TCP connections. A reload of the appliance is necessary to recover from the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (such as Telnet, SSH, or HTTPS), a serial console connection may be needed to access the appliance. This vulnerability was discovered during the resolution of a customer service request.

SIP Inspection Denial of Service Vulnerabilities:

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Cisco Bug ID CSCsy91157 was discovered during internal testing. Cisco Bug ID CSCtc96018 was discovered during the resolution of customer service requests.

SCCP Inspection Denial of Service Vulnerability:

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. This vulnerability was discovered during the resolution of customer service requests.

WebVPN DTLS Denial of Service Vulnerability:

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. This vulnerability was discovered during the resolution of customer service requests.

Crafted TCP Segment Denial of Service Vulnerability:

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. This vulnerability was discovered during internal testing.

Crafted IKE Message Denial of Service Vulnerability:

Successful exploitation of this vulnerability could cause all IPsec VPN tunnels (LAN-to-LAN or remote) that terminate on the security appliance to be torn down and prevent new tunnels from being established. A manual reload of the appliance is required to re-establish all VPN tunnels. This vulnerability was discovered during the resolution of customer service requests.

NTLMv1 Authentication Bypass Vulnerability:

Successful exploitation of this vulnerability could result in unauthorized access to the network or appliance. This vulnerability was discovered during internal testing.

Solution:

Cisco has issued a fix (8.3(2)). Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms.
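The abstract names the affected software trains (7.1.x, 7.2.x, 8.0.x, 8.1.x, 8.2.x) and the solution names 8.3(2) as the fixed release, so the first triage step for a defender is to read the software version off each appliance's `show version` output and compare it with those values. The following is an added example for that step; it is not Cisco's code and is not part of the advisory. It assumes the version line has the form "Cisco Adaptive Security Appliance Software Version 8.2(1)" (optionally followed by an interim build number), it encodes only the trains and fix release stated on this page (no per-train fixed releases, which the page does not list), and the sample `show version` excerpt is constructed. The advisory also ties exposure to specific configured features, which the page does not enumerate, so a version match only says the train is listed, not that the appliance is exposed.

```python
import re
from typing import Dict, Optional, Tuple

# Trains the advisory abstract lists as affected, as (major, minor).
AFFECTED_TRAINS = {(7, 1), (7, 2), (8, 0), (8, 1), (8, 2)}

# Release the advisory's solution names as carrying the fix: 8.3(2).
FIXED_RELEASE = (8, 3, 2)

# Version tuple: (major, minor, maintenance, interim). Interim is 0 if absent.
Version = Tuple[int, int, int, int]

# Anchoring on the full product string matters: `show version` also prints a
# "Device Manager Version X.Y(Z)" line (ASDM) in the same numeric format, and a
# bare "Version" match would silently pick up the wrong product.
_ASA_VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+"
    r"(\d+)\.(\d+)\((\d+)\)(\d+)?"
)

# Constructed sample excerpt of `show version` output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

asa up 12 days 3 hours
"""


def parse_asa_version(show_version_output: str) -> Optional[Version]:
    """Extract the ASA software version from `show version` text, or None."""
    m = _ASA_VERSION_RE.search(show_version_output)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def assess(version: Version) -> Dict[str, object]:
    """Compare a parsed version against the trains and fix release the advisory names."""
    major, minor, maint, _interim = version
    in_affected_train = (major, minor) in AFFECTED_TRAINS
    # Tuple comparison orders (major, minor, maintenance) lexicographically.
    below_fix = (major, minor, maint) < FIXED_RELEASE
    if in_affected_train:
        verdict = ("affected train per advisory: check configured features, "
                   "plan upgrade (advisory names 8.3(2))")
    elif below_fix:
        verdict = "train not listed by the advisory but older than 8.3(2): confirm with vendor"
    else:
        verdict = "at or above 8.3(2)"
    return {
        "train": f"{major}.{minor}",
        "in_affected_train": in_affected_train,
        "below_fixed_release": below_fix,
        "verdict": verdict,
    }


def triage_show_version(show_version_output: str) -> Dict[str, object]:
    """One-call triage: parse the version line and assess it."""
    version = parse_asa_version(show_version_output)
    if version is None:
        return {"verdict": "no ASA software version line found"}
    return assess(version)


if __name__ == "__main__":
    # Run over the constructed sample; in practice feed it saved `show version` output.
    for key, value in triage_show_version(SAMPLE_SHOW_VERSION).items():
        print(f"{key}: {value}")
```

Point the script at saved `show version` captures from each appliance; a result with `in_affected_train` set is the cue to go on to the feature check the advisory describes and to the upgrade, and a result of "train not listed" is deliberately not reported as safe, because this page only states which trains are affected and which release carries the fix.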